TWI745227B - Communication system and communication method for performing third party authentication between home service and foreign service - Google Patents
Publication number: TWI745227B (application TW110103666A)
Authority: TW (Taiwan)
Prior art keywords: server, foreign, original, control module, fog
Classifications
- H04L65/1073—Registration or de-registration (session management for real-time applications in data packet communication)
- H04L63/0281—Proxies (network security architectures separating internal from external traffic)
- H04L63/0815—Authentication of entities providing single-sign-on or federations
- H04L63/0876—Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/0892—Authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H04L63/20—Managing network security; network security policies in general
- H04L65/1045—Proxies, e.g. for session initiation protocol [SIP]
- H04L65/1063—Application servers providing network services
- H04W12/06—Authentication (security arrangements in wireless communication networks)
- H04L61/4588—Network directories; name-to-address mapping containing mobile subscriber information, e.g. home subscriber server [HSS]
Description
The present invention relates to the field of communication technology, and in particular to authentication technology for communications.
With the development of communication technology, cloud communication services have become widely known, and fog communication services are gradually emerging as well. However, cloud and fog communication are usually slower than local telecommunication services (also called edge services), so when a user needs high-bandwidth or low-latency transmission quality, the telecommunication services provided by a local operator are still required. At present, a user who wants to use cloud, fog and edge services must hold an account not only in the cloud but also in the fog or at the edge, and must switch accounts to use the three services, which is inconvenient. Furthermore, the cloud, fog and edge currently use different communication protocols, so the three systems have difficulty communicating with one another.
In view of this, the present invention provides an improved communication system and communication method to solve the above problems.
Based on the above objective, the present invention provides a communication system for performing a third-party authentication between a home server and a foreign server, where the type of the home server and of the foreign server is one of cloud, edge or fog. The communication system includes a control module and operation modules disposed in a universal proxy server. The universal proxy server communicates with the cloud through a cloud relay, with the edge through an edge relay, and with the fog through a fog relay. The control module selects at least two of the operation modules to perform the third-party authentication according to the types of the home server and the foreign server.
In addition, the present invention provides a communication method, executed by a communication system, for performing a third-party authentication between a home server and a foreign server, where the type of the home server and of the foreign server is one of cloud, edge or fog, and the communication system includes a control module and operation modules. The communication method includes the step of having the control module select at least two of the operation modules to perform the third-party authentication according to the types of the home server and the foreign server, where the control module and the operation modules are disposed in a universal proxy server, and the universal proxy server communicates with the cloud through a cloud relay, with the edge through an edge relay, and with the fog through a fog relay.
The embodiments and operating principles of the present invention are described below through several embodiments. A person of ordinary skill in the technical field of the present invention can understand the features and effects of the invention from these embodiments, and can combine, modify, substitute or repurpose them based on the spirit of the invention.
The term "connected" as used herein includes direct connection and indirect connection, and is not limiting. The terms "when ..." and "at the time of ..." herein mean "at that moment, before, or after", and are not limiting.
Ordinal terms such as "first" and "second" used herein modify claim elements; they do not by themselves imply that a claim element carries any preceding ordinal, nor any order between one claim element and another, nor any order in a manufacturing method. They are used only to clearly distinguish a claim element having a certain name from another claim element having the same name.
When several functions (or elements) are described herein and the word "or" is used between them, this means that the functions (or elements) may exist independently, without excluding the possibility that several of them exist at the same time; in other words, as long as the described configuration is reasonable, "or" includes "and".
To keep the description concise, where an element of the present invention has an English abbreviation commonly used by those skilled in the art, the element is referred to by that abbreviation in all paragraphs after the first mention, where its full Chinese name is given.
FIG. 1 is a system architecture diagram of a communication system 1 according to an embodiment of the present invention. As shown in FIG. 1, the communication system 1 can perform a third-party authentication between a home server (home) and a foreign server (foreign) through a control module 21 of a universal proxy server 2. The home server may be a cloud server (cloud) 3a (hereinafter the home cloud 3a), an edge server (edge) 4a (hereinafter the home edge 4a) or a fog server (fog) 5a (hereinafter the home fog 5a), and the foreign server may be a cloud server 3b (hereinafter the foreign cloud 3b), an edge server 4b (hereinafter the foreign edge 4b) or a fog server 5b (hereinafter the foreign fog 5b). The object of the present invention is to let an account of the home server use the services of the foreign server directly, without registering again at the foreign server, where the home server is defined as the server at which the account is registered and the foreign server as a server at which the account is not yet registered. An account of the home server can obtain the various communication services provided by the home server or the foreign server through a user equipment 6.
In one embodiment, the communication system 1 may include the hardware of the universal proxy server 2 and at least part of its software. In another embodiment, the communication system 1 may include only at least part of the software of the proxy server 2, for example only the control module 21.
In one embodiment, the user equipment 6 may be an electronic device with Internet of Things (IoT) capability, such as a notebook computer, tablet computer, desktop computer, smartphone or any of various smart portable devices, without being limited thereto.
In one embodiment, the home cloud 3a and the foreign cloud 3b may be the communication service systems of different e-commerce companies such as Google, Amazon or T-Mobile, and the services of the home cloud 3a and the foreign cloud 3b may be the various cloud services these companies provide, such as infrastructure as a service (IaaS), software as a service (SaaS) or platform as a service (PaaS), without being limited thereto. The home edge 4a and the foreign edge 4b may be the communication service systems of different telecommunication companies, such as Chunghwa Telecom (Hinet), Far EasTone (FETnet), AT&T Mobility, T-Mobile or Verizon, and their services are those provided by the respective operators, such as third generation partnership project (hereinafter 3GPP), third-generation (3G), fourth-generation (4G) or fifth-generation (5G) mobile communication services, without being limited thereto. The home fog 5a and the foreign fog 5b may be different fog computing communication service systems, such as Veniam, Embotech GmbH, Shield AI, SONM or FogHorn Systems, without being limited thereto.
In one embodiment, the communication protocol used by the home cloud 3a and the foreign cloud 3b is OpenID Connect (hereinafter OIDC). To perform OIDC authentication, the home cloud 3a and the foreign cloud 3b may each include an identity provider (OpenID provider, hereinafter IdP), a relying party (hereinafter RP) and/or an information endpoint (not shown). The IdP, RP and information endpoint are known to those skilled in the art and are not described in detail here.
In one embodiment, the communication protocol used by the home edge 4a and the foreign edge 4b is 3GPP, with the evolved packet system authentication and key agreement protocol (EPS-AKA) as the authentication mechanism. To perform EPS-AKA authentication, the home edge 4a and the foreign edge 4b each include a mobility management entity (hereinafter MME) and/or a home subscriber server (hereinafter HSS) (not shown). The MME and HSS are known to those skilled in the art and are not described in detail here.
In one embodiment, the communication protocol used by the home fog 5a and the foreign fog 5b may be either OIDC or IEEE 802.1x (hereinafter simply 802.1x). When the home fog 5a and the foreign fog 5b use OIDC, they may include an IdP, an RP and/or an information endpoint (not shown) in order to perform OIDC authentication. When they use 802.1x, they may include an authentication server (AS) and/or an access point (AP) (not shown) in order to perform 802.1x authentication. The AS and AP are known to those skilled in the art and are not described in detail here.
For ease of explanation, a cross-domain service in which an account of the home server uses the foreign server through the user equipment 6 is written below in the form "home-to-foreign". For example, when an account of the home cloud 3a wants to use the services of a foreign edge 4b at which it is not registered, the cross-domain service is written "cloud-to-edge"; when an account of the home cloud 3a wants to use the services of a foreign fog 5b at which it is not registered and the foreign fog 5b uses OIDC, the cross-domain service is written "cloud-to-fog(OIDC)"; the other cases follow the same pattern. Accordingly, the cross-domain services supported by the communication system 1 include at least cloud-to-edge, cloud-to-fog(OIDC), cloud-to-fog(802.1x), cloud-to-cloud, edge-to-edge, edge-to-fog(OIDC), edge-to-fog(802.1x), edge-to-cloud, fog(OIDC)-to-edge, fog(OIDC)-to-fog(OIDC), fog(OIDC)-to-fog(802.1x), fog(OIDC)-to-cloud, fog(802.1x)-to-edge, fog(802.1x)-to-fog(OIDC), fog(802.1x)-to-fog(802.1x) and fog(802.1x)-to-cloud. The present invention can also be extended to support communication service systems using further protocols.
As shown in FIG. 1, to perform third-party authentication for the various cross-domain services, the communication environment of the communication system 1 may be made up of the universal proxy server 2, at least one home server (home cloud 3a, home edge 4a and/or home fog 5a), at least one home relay (cloud relay 7a, edge relay 8a and/or fog relay 9a), at least one foreign server (foreign cloud 3b, foreign edge 4b and/or foreign fog 5b), at least one foreign relay (cloud relay 7b, edge relay 8b and/or fog relay 9b) and the user equipment 6. Further, a relay is disposed on every communication path between each server (home or foreign) and the universal proxy server 2 to forward the messages between that server and the universal proxy server 2, where the home relay may be a cloud relay (hereinafter CR) 7a, an edge relay (hereinafter ER) 8a or a fog relay (hereinafter FR) 9a, and the foreign relay may be a CR 7b, an ER 8b or an FR 9b.
Note that the communication system 1 can operate with a single home server and a single foreign server, or with multiple home servers and multiple foreign servers.
In addition, the communication system 1 has a plurality of operation modules 22~28. The operation modules 22~28 may be disposed in the universal proxy server 2, and the control module 21 controls them to carry out the operations required for the third-party authentication of the various cross-domain services. The control module 21 selects at least two of the operation modules 22~28 according to the types of the home server and the foreign server to carry out those operations; in other words, different cross-domain services use different operation modules 22~28.
In one embodiment, the operation modules 22~28 may include a virtual identity provider (virtual OpenID provider, hereinafter vIdP) 22, a virtual user equipment (hereinafter vUE) 23, a virtual mobility management entity (hereinafter vMME) 24, a virtual relying party (hereinafter vRP) 25, a virtual user (hereinafter vUSER) 26, a virtual home subscriber server (hereinafter vHSS) 27 and a virtual authentication server (hereinafter vAS) 28. For ease of explanation, each operation module is referred to below by its English abbreviation. Moreover, operation modules 22~28 in the universal proxy server 2 may be added or removed as needed, as long as this is feasible.
In one embodiment, the control module 21 may be a control chip of the universal proxy server 2; in another embodiment, the control module 21 may be a computer program product (software) or firmware executed by a microprocessor or microcontroller of the universal proxy server 2. In one embodiment, the operation modules 22~28 may be implemented by hardware components of the universal proxy server 2 together with software or firmware; in another embodiment, the operation modules 22~28 are the software or firmware itself. Where the control module 21 and the operation modules 22~28 are all software, they may be integrated, for example with the control module 21 as the main program and the operation modules 22~28 as subroutines. The present invention is not limited thereto. The implementation of the control module 21 and the operation modules 22~28 can thus be understood.
The functions of the operation modules 22~28 are described next:
vIdP (virtual identity provider) 22: used to communicate with a foreign server that uses OIDC, for example with the foreign cloud 3b through the CR 7b, or with a foreign fog 5b using OIDC through the FR 9b.
vUE (virtual user equipment) 23: used to communicate with the home edge 4a, for example with the MME of the home edge 4a through the ER 8a.
vMME (virtual mobility management entity) 24: used to communicate with the vHSS 27 of the universal proxy server 2, or with the home edge 4a, for example with the HSS of the home edge 4a through the ER 8a.
vRP (virtual relying party) 25: used to communicate with a home server that uses OIDC, for example with the IdP of the home cloud 3a through the CR 7a, or with the IdP of the home fog 5a through the FR 9a.
vUSER (virtual user) 26: used to communicate with home servers that use OIDC or 802.1x, for example with the information endpoint of the home cloud 3a through the CR 7a, or with the information endpoint of the home fog 5a through the FR 9a.
vHSS (virtual home subscriber server) 27: used to communicate with the vMME 24 of the universal proxy server 2, or with a foreign server that uses 3GPP, for example with the MME of the foreign edge 4b through the ER 8b.
vAS (virtual authentication server) 28: used to communicate with a foreign server that uses the 802.1x protocol, for example with the AS of the foreign fog 5b through the FR 9b.
Furthermore, depending on the home server and the foreign server, the control module 21 uses different operation modules to perform the third-party authentication. FIG. 2(A) is a summary diagram of the operation modules corresponding to each combination of home server and foreign server according to an embodiment of the present invention.
As shown in FIG. 2(A), when the cross-domain service is cloud-to-edge, the control module 21 activates the vHSS 27 and the vUSER 26.
For edge-to-edge, the control module 21 activates the vHSS 27 and the vMME 24.
For fog(OIDC)-to-edge, the control module 21 activates the vHSS 27 and the vUSER 26.
For fog(802.1x)-to-edge, the control module 21 activates the vHSS 27 and the vUSER 26.
For cloud-to-cloud, the control module 21 activates the vIdP 22 and the vRP 25.
For edge-to-cloud, the control module 21 activates the vIdP 22 and the vUE 23.
For fog(OIDC)-to-cloud, the control module 21 activates the vIdP 22, the vRP 25 and the vUSER 26.
For fog(802.1x)-to-cloud, the control module 21 activates the vIdP 22 and the vUSER 26.
For cloud-to-fog(OIDC), the control module 21 activates the vIdP 22 and the vRP 25.
For edge-to-fog(OIDC), the control module 21 activates the vIdP 22 and the vUE 23.
For fog(OIDC)-to-fog(OIDC), the control module 21 activates the vIdP 22, the vRP 25 and the vUSER 26.
For fog(802.1x)-to-fog(OIDC), the control module 21 activates the vIdP 22 and the vUSER 26.
For cloud-to-fog(802.1x), the control module 21 activates the vAS 28 and the vUSER 26.
For edge-to-fog(802.1x), the control module 21 activates the vAS 28 and the vUE 23.
For fog(OIDC)-to-fog(802.1x), the control module 21 activates the vAS 28 and the vUSER 26.
For fog(802.1x)-to-fog(802.1x), the control module 21 activates the vAS 28 and the vUSER 26.
It follows that the communication system 1 must identify the type of cross-domain service before it can activate the appropriate operation modules 22~28. One of the key technical points of the present invention is therefore how to identify the types of the home server and the foreign server. To let the universal proxy server 2 identify these types and then run the corresponding authentication flow, the communication system 1 executes a dedicated communication method.
Note that, to keep the flows simple and clear, the process steps below may omit the forwarding of messages between each server and the universal proxy server 2 through the relays; in practice, however, every message between the home server and the universal proxy server 2, and between the foreign server and the universal proxy server 2, must be forwarded through the corresponding relay acting as intermediary.
FIG. 2(B) is a flowchart of the steps of a communication method according to an embodiment of the present invention; please refer also to FIGS. 1 to 2(A). As shown in FIG. 2(B), when an account of the home server wants to use the foreign server, the user equipment 6 sends a service request message to the foreign server, and the foreign server forwards the service request message to the universal proxy server 2. When the universal proxy server 2 receives the service request message, step S1 is executed: the control module 21 runs an initial-phase procedure that establishes the communication links between the operation modules 22~28 about to be used and the corresponding relays. Step S2 is then executed: the control module 21 runs an operation-phase procedure that handles the authentication between the home server and the foreign server. The control module 21 may also run an entity insertion and lookup-table creation procedure that builds a lookup table recording information about the home server and the foreign server for use during the operation-phase procedure. Once the authentication between the home server and the foreign server is complete, the foreign server can provide services to the user equipment 6, so that the account of the home server can use the services of the foreign server. Note that the order of the initial-phase procedure, the operation-phase procedure and the entity insertion and lookup-table creation procedure is only an example and not limiting; for instance, the initial-phase procedure and the operation-phase procedure may run concurrently.
The details of each procedure are described in turn below.
First, the details of the initial-phase procedure. FIG. 3 is a flowchart of the steps of the initial-phase procedure of the communication method according to an embodiment of the present invention; please refer also to FIGS. 1 to 2(B).
First, step S11 is executed: the universal proxy server 2 receives a service request message sent by a server through a relay.
Step S12 is then executed: the control module 21 identifies the type of the relay. In one embodiment, the universal proxy server 2 pre-records the link path to each home relay and each foreign relay, so the control module 21 can identify the relay type simply by matching the current link path against the recorded data.
When the control module 21 identifies the relay as a CR 7b, step S13(a) is executed: the control module 21 activates the communication link between the vIdP 22 and the CR 7b, so that the vIdP 22 can exchange messages with the CR 7b, and stores the information about the CR 7b. In one embodiment, the information about a relay (for example the CR 7b) may include an assigned cloud ID, a cloud relay ID and mapping information. In one embodiment, the control module 21 may receive service request messages from several CRs 7b at the same time, so step S13(b) may be executed: the control module 21 checks whether the universal proxy server 2 has received a service request message from another CR 7b; if so, step S13(a) is executed again, otherwise the initial-phase procedure is complete.
When the relay is an ER 8b, step S14(a) is executed: the control module 21 activates the communication link between the vHSS 27 and the ER 8b, so that the vHSS 27 can exchange messages with the ER 8b, and stores the information about the ER 8b. In one embodiment, step S14(b) may be executed: the control module 21 checks whether the universal proxy server 2 has received a service request message from another ER 8b; if so, step S14(a) is executed again, otherwise the initial-phase procedure is complete.
When the relay is an FR 9b, the communication protocol used by the corresponding foreign fog 5b may be either OIDC or 802.1x, so step S15(a) is executed first: the control module 21 identifies the communication protocol used by the foreign fog 5b. The protocol may be identified, for example, by trying to log in: if the login goes through an access point, the control module 21 identifies the protocol as 802.1x; if the login goes through a web page, it identifies the protocol as OIDC.
When the protocol is OIDC, step S15(b) is executed: the control module 21 activates the communication link between the vIdP 22 and the FR 9b, so that the vIdP 22 can exchange messages with the FR 9b, and stores the information about the FR 9b. Step S15(c) may then be executed: the control module 21 checks whether the universal proxy server 2 has received a service request message from another FR 9b; if so, step S15(b) is executed again, otherwise the initial-phase procedure is complete.
When the protocol is 802.1x, step S15(d) may be executed: the control module 21 activates the communication link between the vAS 28 and the FR 9b and stores the information about the FR 9b. Step S15(c) may then be executed: the control module 21 checks whether the universal proxy server 2 has received a service request message from another FR 9b; if so, step S15(d) is executed again, otherwise the initial-phase procedure is complete. The details of the initial-phase procedure can thus be understood.
The details of the operation-phase procedure are described next. FIG. 4 is a flowchart of the main steps of the operation-phase procedure of the communication method according to an embodiment of the present invention; please refer also to FIGS. 1 to 3.
First, step S21 is executed: the universal proxy server 2 receives a service request message from a foreign relay (CR 7b, ER 8b or FR 9b).
Step S22 is then executed: the control module 21 identifies the type of the foreign server from the format (for example the communication protocol) of the service request message. In one embodiment, classified by protocol, the service request message may be a first-format, a second-format or a third-format service request message. The first-format service request message is a remote authentication dial-in user service access request (hereinafter RADIUS access request), corresponding to the 802.1x protocol; the second-format service request message is a user equipment login request (hereinafter UE login request), corresponding to the 3GPP protocol; and the third-format service request message is an authentication request passing client_id (hereinafter auth request passing client_id), corresponding to the OIDC protocol. These message formats are only examples, and the present invention is not limited thereto.
When the service request message is a first-format service request message (RADIUS access request), step S23(a) is executed: the control module 21 activates the vAS 28 to receive the service request message and puts the vAS 28 into a waiting state. Step S23(b) is also executed: the control module 21 provides a login option to the user equipment 6 through the FR 9b and the foreign fog 5b, so that the user equipment 6 can select the home server that performs the authentication. Step S24 is then executed: the control module 21 runs a first user authentication procedure according to the login option returned by the user equipment 6. The first user authentication procedure is defined as the authentication that the home server and the foreign server must perform when the foreign server is a foreign fog 5b using 802.1x (also called user authentication for 802.1x fog). Once the first user authentication procedure is complete, the foreign fog 5b can provide services to the account of the home server.
When the service request message is a second-format service request message (UE login request), step S25(a) is executed: the control module 21 activates the vHSS 27 to receive the service request message and puts the vHSS 27 into a waiting state. Step S25(b) is also executed: the control module 21 provides the login option to the user equipment 6 through the ER 8b and the foreign edge 4b, so that the user equipment 6 can select the home server that performs the authentication. Step S26 is then executed: the control module 21 runs a second user authentication procedure according to the login option returned by the user equipment 6. The second user authentication procedure is defined as the authentication that the home server and the foreign server must perform when the foreign server is a foreign edge 4b using 3GPP (also called user authentication for 3GPP edge). Once the second user authentication procedure is complete, the foreign edge 4b can provide services to the account of the home server.
When the service request message is a third-format service request message (auth request passing client_id), step S27(a) is executed: the control module 21 activates the vIdP 22 to receive the service request message. Because the OIDC authentication mechanism further requires the user equipment 6 to return a second-format service request message (UE login request) before the vIdP 22 proceeds, step S28 is executed: the control module 21 checks whether the universal proxy server 2 has received a UE login request.
If not, the control module 21 stops the operation of the universal proxy server 2; if so, step S29 is executed: the control module 21 provides the login option to the user equipment 6 through the CR 7b and the foreign cloud 3b (or through the FR 9b and a foreign fog 5b whose protocol is OIDC).
Step S30 is then executed: the control module 21 runs a third user authentication procedure according to the login option returned by the user equipment 6. It is defined as the authentication that the home server and the foreign server must perform when the foreign server is a foreign cloud 3b or a foreign fog 5b using OIDC, and may therefore also be called user authentication for OIDC cloud/fog. Once the third user authentication procedure is complete, the foreign cloud 3b or the foreign fog 5b can provide services to the account of the home server.
The details of the first, second and third user authentication procedures are described next.
First, the first user authentication procedure (that is, the details of step S24). FIG. 5 is a flowchart of the steps of the first user authentication procedure according to an embodiment of the present invention; please refer also to FIGS. 1 to 4.
As shown in FIG. 5, step S241 is executed first: the universal proxy server 2 receives the login option returned by the user equipment 6.
When the user equipment 6 selects the home edge 4a as the login option (that is, the home server is the home edge 4a), step S242 is executed: the control module 21 runs a first home server authentication subroutine A, the authentication performed with the home edge 4a when the home server is the home edge 4a (see FIG. 8 for details). When the first home server authentication subroutine A is complete, step S243 is executed: the control module 21 runs a first foreign server authentication subroutine B, the authentication performed by the control module 21 and the foreign fog 5b when the foreign server is a foreign fog 5b using 802.1x (see FIG. 9 for details). After step S243, the edge-to-fog(802.1x) authentication is complete and the foreign fog 5b can provide services to the account of the home edge 4a.
When the user equipment 6 selects the home cloud 3a as the login option (that is, the home server is the home cloud 3a), step S244 is executed: the control module 21 runs a second home server authentication subroutine C. The second home server authentication subroutine C is defined as the authentication performed by the control module 21 and the home cloud 3a (or home fog 5a) when the home server is the home cloud 3a or a home fog 5a using OIDC (see FIG. 10 for details). When the second home server authentication subroutine C is complete, step S245 is executed: the control module 21 runs the first foreign server authentication subroutine B. After step S245, the cloud-to-fog(802.1x) authentication is complete and the foreign fog 5b can provide services to the account of the home cloud 3a.
When the user equipment 6 selects the home fog 5a as the login option (that is, the home server is the home fog 5a), step S246 is executed: the control module 21 checks whether the protocol of the home fog 5a is 802.1x.
When the protocol of the home fog 5a is 802.1x, step S247 is executed: the control module 21 runs a third home server authentication subroutine D, the authentication performed by the control module 21 and the home fog 5a when the home server is a home fog 5a using 802.1x (see FIG. 11 for details). When step S247 is complete, step S249 is executed: the control module 21 runs the first foreign server authentication subroutine B. When step S249 is complete, the fog(802.1x)-to-fog(802.1x) authentication is complete and the foreign fog 5b using 802.1x can provide services to the account of the home fog 5a.
When the protocol of the home fog 5a is OIDC rather than 802.1x, step S248 is executed: the control module 21 runs the second home server authentication subroutine C. When step S248 is complete, step S249 is executed: the control module 21 runs the first foreign server authentication subroutine B. When step S249 is complete, the fog(OIDC)-to-fog(802.1x) authentication is complete and the foreign fog 5b using 802.1x can provide services to the account of the home fog 5a.
The details of the first user authentication procedure can thus be understood.
Next, the details of the second user authentication procedure (that is, of step S26). FIG. 6 is a flowchart of the steps of the second user authentication procedure according to an embodiment of the present invention; please refer also to FIGS. 1 to 4.
As shown in FIG. 6, step S261 is executed first: the universal proxy server 2 receives the login option returned by the user equipment 6.
When the user equipment 6 selects the home edge 4a as the login option (that is, the home server is the home edge 4a), step S262 is executed: the control module 21 runs a second foreign server authentication subroutine E. The second foreign server authentication subroutine E is defined as the authentication that the control module 21, the home edge 4a and the foreign edge 4b must perform when the home server is the home edge 4a and the foreign server is the foreign edge 4b (see FIG. 12 for details). When step S262 is complete and the EPS-AKA authentication required by the foreign edge 4b is also complete, the edge-to-edge authentication is complete and the foreign edge 4b can provide services to the account of the home edge 4a. In one embodiment, the control module 21 may instruct the vHSS 27 to provide the authentication vector required for the EPS-AKA authentication, and the foreign edge 4b and the user equipment 6 perform the EPS-AKA authentication with this authentication vector; for example, the foreign edge 4b issues an authentication challenge to the user equipment 6 based on the authentication vector, and the user equipment 6 returns an authentication response.
When the user equipment 6 selects the home cloud 3a as the login option (that is, the home server is the home cloud 3a), step S263 is executed: the control module 21 runs a fourth home server authentication subroutine F. The fourth home server authentication subroutine F is defined as the authentication performed by the control module 21 and the home cloud 3a (or home fog 5a) when the home server is the home cloud 3a or a home fog 5a using OIDC and the foreign server is the foreign edge 4b (see FIG. 13 for details). When step S263 is complete and the EPS-AKA authentication required by the foreign edge 4b is also complete, the cloud-to-edge authentication is complete and the foreign edge 4b can provide services to the account of the home cloud 3a.
When the user equipment 6 selects the home fog 5a as the login option (that is, the home server is the home fog 5a), step S264 is executed: the control module 21 checks whether the protocol of the home fog 5a is 802.1x.
When the protocol of the home server (home fog 5a) is 802.1x, step S265 is executed: the control module 21 runs the third home server authentication subroutine D. When step S265 is complete and the EPS-AKA authentication required by the foreign edge 4b is also complete (steps S266(a) and S266(b)), the fog(802.1x)-to-edge authentication is complete and the foreign edge 4b can provide services to the account of the home fog 5a (802.1x).
When the protocol of the home fog 5a is OIDC, step S267 is executed: the control module 21 runs the fourth home server authentication subroutine F. When step S267 is complete and the EPS-AKA authentication required by the foreign edge 4b is also complete, the fog(OIDC)-to-edge authentication is complete and the foreign edge 4b can provide services to the account of the home fog 5a (OIDC).
The details of the second user authentication procedure can thus be understood.
Next, the details of the third user authentication procedure (that is, of step S30). FIG. 7 is a flowchart of the steps of the third user authentication procedure according to an embodiment of the present invention; please refer also to FIGS. 1 to 4.
As shown in FIG. 7, step S301 is executed first: the universal proxy server 2 receives the login option returned by the user equipment 6.
When the login option is the home cloud 3a, step S302 is executed: the control module 21 runs a fifth home server authentication subroutine G. The fifth home server authentication subroutine G is defined as the authentication performed by the control module 21 and the home cloud 3a when the home server is the home cloud 3a and the foreign server is the foreign cloud 3b or a foreign fog 5b using OIDC (see FIG. 14 for details). When step S302 is complete, step S303(a) is executed: the control module 21 provides an identity token to the vIdP 22; step S303(b) is then executed: the control module 21 instructs the vIdP 22 to send the identity token to the foreign cloud 3b (or foreign fog 5b), which uses the identity token to grant access to the account of the home cloud 3a and provide services. The cloud-to-cloud/fog(OIDC) authentication is thus complete.
When the login option is the home edge 4a, step S304 is executed: the control module 21 runs the first home server authentication subroutine A. When step S304 is complete, steps S305(a)~S305(c) are executed: the control module 21 creates an identity token and instructs the vIdP 22 to send it to the foreign cloud 3b (or foreign fog 5b), which uses the identity token to grant access to the account of the home edge 4a. The edge-to-cloud/fog(OIDC) authentication is thus complete.
When the login option is the home fog 5a, step S306 is executed: the control module 21 checks whether the protocol of the home fog 5a is 802.1x.
If the protocol of the home fog 5a is OIDC rather than 802.1x, step S307 is executed: the control module 21 runs a sixth home server authentication subroutine H. The sixth home server authentication subroutine H is defined as the authentication that the control module 21 and the home fog 5a must perform when the home server is a home fog 5a using OIDC and the foreign server is the foreign cloud 3b or a foreign fog 5b using OIDC (see FIG. 15 for details). When the sixth home server authentication subroutine H is complete, the fog(OIDC)-to-cloud/fog(OIDC) authentication is complete.
If the protocol of the home fog 5a is 802.1x, step S308 is executed: the control module 21 runs the third home server authentication subroutine D. After the third home server authentication subroutine D, steps S309(a)~S309(c) may be executed: the control module 21 creates an identity token and instructs the vIdP 22 to send it to the foreign cloud 3b (or foreign fog 5b), which uses the identity token to grant access to the account of the home fog 5a. The fog(802.1x)-to-cloud/fog(OIDC) authentication is thus complete.
The details of the third user authentication procedure can thus be understood.
For clarity, the cross-domain services to which the first home server authentication subroutine A through the sixth home server authentication subroutine H apply are listed below.
The first home server authentication subroutine A applies to cross-domain services such as edge-to-fog(802.1x), edge-to-cloud and edge-to-fog(OIDC), without being limited thereto.
The first foreign server authentication subroutine B applies to cross-domain services such as edge-to-fog(802.1x), cloud-to-fog(802.1x), fog(OIDC)-to-fog(802.1x) and fog(802.1x)-to-fog(802.1x), without being limited thereto.
The second home server authentication subroutine C applies to cross-domain services such as cloud-to-fog(802.1x) and fog(OIDC)-to-fog(802.1x), without being limited thereto.
The third home server authentication subroutine D applies to cross-domain services such as fog(802.1x)-to-fog(802.1x), fog(802.1x)-to-fog(OIDC), fog(802.1x)-to-edge and fog(802.1x)-to-cloud, without being limited thereto.
The second foreign server authentication subroutine E applies to cross-domain services such as edge-to-edge, without being limited thereto.
The fourth home server authentication subroutine F applies to cross-domain services such as cloud-to-edge and fog(OIDC)-to-edge, without being limited thereto.
The fifth home server authentication subroutine G applies to cross-domain services such as cloud-to-cloud and cloud-to-fog(OIDC), without being limited thereto.
The sixth home server authentication subroutine H applies to cross-domain services such as fog(OIDC)-to-cloud and fog(OIDC)-to-fog(OIDC), without being limited thereto.
Next, the details of the cases to which the first home service end authentication subroutine A through the sixth home service end authentication subroutine H apply are described. Note again that the process steps below may omit the step in which a forwarding end forwards a message; in practice, messages between each service end and universal proxy server 2 pass through the forwarding ends.
First, the first home service end authentication subroutine A is described. FIG. 8 is a flowchart of the steps of the first home service end authentication subroutine A according to an embodiment of the present invention; refer also to FIG. 1 to FIG. 7.
As shown in FIG. 8, first step A1(a) is executed: control module 21 starts vUE 23. Then step A1(b) is executed: control module 21 converts the second-format service request message (UE login request) from user equipment 6 into an authentication request message. In one embodiment, the second-format service request message may include an international mobile subscriber identity (IMSI) of user equipment 6, and the converted authentication request message also carries the IMSI. Because the IMSI is issued by the home service end, the home service end can determine whether the IMSI is valid.
Then step A2 is executed: control module 21 instructs vUE 23 to communicate with home edge 4a and send the authentication request message to home edge 4a. In one embodiment, when home edge 4a receives the authentication request message, it can determine whether the IMSI in the message is valid. When the IMSI is confirmed valid, the HSS of home edge 4a can generate an authentication request response message, and the MME of home edge 4a can convert that response into an authentication challenge and return it to vUE 23. In one embodiment, the authentication request response message may include an authentication vector; the authentication vector may include an expected response (XRES), an authentication value (AUTN), a random number (RAND) and a session key (Kasme); and the authentication challenge may include the expected response (XRES), the authentication value (AUTN) and the random number (RAND), but these are not limited to the above.
Then step A3 is executed: control module 21 determines whether vUE 23 has received the authentication challenge returned by home edge 4a. If not, step A2 is executed again. If so, step A4 is executed: control module 21 instructs vUE 23 to send the authentication challenge to user equipment 6. In one embodiment, user equipment 6 can run the EPS-AKA verification flow on the authentication challenge, for example by generating a challenge response.
Then step A5 is executed: control module 21 determines whether vUE 23 has received the challenge response returned by user equipment 6. If not, step A4 is executed again. If so, step A6 is executed: control module 21 instructs vUE 23 to send the challenge response to the MME of home edge 4a. The MME can determine whether the challenge response is correct; when it is correct, edge 4a can return an authentication success message.
Therefore step A7 is executed: control module 21 determines whether vUE 23 has received the authentication success message returned by the MME. If so, the first home service end authentication subroutine A is complete, that is, the authentication required by home edge 4a is done, and the authentication required by the foreign service end can follow, for example generating the token authentication required by foreign cloud 3b or foreign fog 5b (OIDC), or performing the first foreign service end authentication subroutine B required by foreign fog 5b (802.1x). If not, step A8 is executed: universal proxy server 2 sends an authentication failure message to user equipment 6 and stops operating.
In this way, the details of the first home service end authentication subroutine A can be understood.
Next, the details of the first foreign service end authentication subroutine B are described. FIG. 9 is a flowchart of the steps of the first foreign service end authentication subroutine B according to an embodiment of the present invention; refer also to FIG. 1 to FIG. 7.
As shown in FIG. 9, first step B1 is executed: control module 21 provides a user record to vAS 28; the user record may include data such as user credentials. Then step B2 is executed: when the authentication of the home service end is complete, control module 21 instructs vAS 28 to generate a remote authentication dial-in user service access challenge (hereinafter RADIUS challenge).
Then step B3 is executed: control module 21 instructs vAS 28 to send the RADIUS challenge to the access point (AP) of foreign fog 5b (802.1x). When the access point receives the RADIUS challenge, it can convert the challenge into an extensible authentication protocol request (Message-Digest Algorithm 5) message (EAP-req/MD5), as required for 802.1x authentication, and send it to user equipment 6. User equipment 6 can generate an extensible authentication protocol (MD5) response (EAP-res/MD5) from the challenge and return it to the access point. When the access point receives the EAP-res/MD5 and confirms that it is correct, it can convert the EAP-res/MD5 into a remote authentication dial-in user service access request (hereinafter RADIUS access request) and send the RADIUS access request to vAS 28 of universal proxy server 2.
Next, step B4 is executed: control module 21 determines whether vAS 28 has received the RADIUS access request. If not, step B3 is executed again. If so, step B5 is executed: control module 21 instructs vAS 28 to return a remote authentication dial-in user service access accept message (hereinafter RADIUS access accept message) to the access point.
Note that when the access point (AP) receives the RADIUS access accept message, it can send an extensible authentication protocol success message (EAP-success) to user equipment 6, at which point foreign fog 5b (802.1x) can provide service to user equipment 6 on the basis of the EAP-success.
In this way, the details of the first foreign service end authentication subroutine B can be understood.
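The following is an added example, not code from the patent, that simulates subroutine B end to end: vAS 28 issues a RADIUS challenge (B2), the access point of foreign fog 5b translates it to EAP-req/MD5, the UE answers with EAP-res/MD5, the access point wraps that in a RADIUS access request, and vAS accepts or rejects it (B4/B5). The EAP-MD5 response value is computed as in CHAP (MD5 over identifier, password and challenge); the class names, the constructed user record and the choice to verify the response at vAS rather than at the access point are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Message:
    """One message on the path vAS 28 <-> AP <-> UE 6 (constructed format)."""
    kind: str       # "RADIUS-Access-Challenge", "EAP-Request/MD5", ...
    ident: int      # EAP/CHAP identifier; ties a response to its challenge
    payload: bytes  # challenge bytes or the MD5 response value
    user: str


def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5(identifier || password || challenge), as in CHAP."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class VirtualAS:
    """vAS 28: holds the user record (step B1) and performs steps B2, B4 and B5."""

    def __init__(self, user_record: dict):
        self.users = user_record   # user name -> password (constructed record)
        self.pending = {}          # ident -> (user, challenge) awaiting a response
        self.next_ident = 1

    def radius_challenge(self, user: str) -> Message:
        """Step B2: generate a fresh RADIUS access challenge for the user."""
        ident, self.next_ident = self.next_ident, (self.next_ident + 1) % 256
        challenge = os.urandom(16)
        self.pending[ident] = (user, challenge)
        return Message("RADIUS-Access-Challenge", ident, challenge, user)

    def handle_access_request(self, req: Message) -> Message:
        """Steps B4/B5: verify the RADIUS access request and answer accept or reject.
        Each outstanding challenge is consumed on first use, so a replayed or
        unsolicited request is rejected; comparison is constant-time."""
        entry = self.pending.pop(req.ident, None)
        if entry is not None:
            user, challenge = entry
            password = self.users.get(user)
            if (password is not None and user == req.user and
                    hmac.compare_digest(req.payload,
                                        md5_response(req.ident, password, challenge))):
                return Message("RADIUS-Access-Accept", req.ident, b"", user)
        return Message("RADIUS-Access-Reject", req.ident, b"", req.user)


class AccessPoint:
    """AP of foreign fog 5b (802.1x): translates between RADIUS and EAP."""

    @staticmethod
    def to_eap_request(challenge: Message) -> Message:
        return Message("EAP-Request/MD5", challenge.ident, challenge.payload, challenge.user)

    @staticmethod
    def to_radius_request(eap_res: Message) -> Message:
        return Message("RADIUS-Access-Request", eap_res.ident, eap_res.payload, eap_res.user)

    @staticmethod
    def to_eap_result(radius: Message) -> Message:
        kind = "EAP-Success" if radius.kind == "RADIUS-Access-Accept" else "EAP-Failure"
        return Message(kind, radius.ident, b"", radius.user)


class UserEquipment:
    """UE 6: answers an EAP-Request/MD5 with an EAP-Response/MD5."""

    def __init__(self, user: str, password: bytes):
        self.user, self.password = user, password

    def answer(self, req: Message) -> Message:
        return Message("EAP-Response/MD5", req.ident,
                       md5_response(req.ident, self.password, req.payload), self.user)


def run_subroutine_b(vas: VirtualAS, ap: AccessPoint, ue: UserEquipment):
    """Steps B2~B5 in sequence; returns (final EAP message kind, the RADIUS access request)."""
    challenge = vas.radius_challenge(ue.user)        # B2: vAS generates the challenge
    eap_req = ap.to_eap_request(challenge)           # B3: AP converts it to EAP-req/MD5
    eap_res = ue.answer(eap_req)                     # UE computes EAP-res/MD5
    access_req = ap.to_radius_request(eap_res)       # AP converts it to a RADIUS access request
    result = vas.handle_access_request(access_req)   # B4/B5: vAS returns accept or reject
    return ap.to_eap_result(result).kind, access_req


if __name__ == "__main__":
    vas = VirtualAS({"alice": b"constructed-password"})
    ue = UserEquipment("alice", b"constructed-password")
    print(run_subroutine_b(vas, AccessPoint(), ue)[0])
```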
Next, the details of the second home service end authentication subroutine C are described. FIG. 10 is a flowchart of the steps of the second home service end authentication subroutine C according to an embodiment of the present invention; refer also to FIG. 1 to FIG. 9.
As shown in FIG. 10, step C1 is executed: control module 21 generates a login message (containing the account name and password) for an account of home cloud 3a or home fog 5a (OIDC), where the account name and password may come from the service request message or authentication request message previously sent by user equipment 6, but are not limited to these.
Then step C2 is executed: control module 21 starts vUSER 26. Then step C3 is executed: control module 21 instructs vUSER 26 to send the login message to home cloud 3a or home fog 5a (OIDC), which verifies whether the account name and password are correct.
Then step C4 is executed: control module 21 determines whether vUSER 26 has received a login success message returned by home cloud 3a or home fog 5a (OIDC). If not, step C3 is executed again. If so, the second home service end authentication subroutine C is complete, and the authentication required by the foreign service end can follow, for example the first foreign service end authentication subroutine B.
In this way, the second home service end authentication subroutine C can be understood.
Next, the details of the third home service end authentication subroutine D are described. FIG. 11 is a flowchart of the steps of the third home service end authentication subroutine D according to an embodiment of the present invention; refer also to FIG. 1 to FIG. 10.
As shown in FIG. 11, first step D1 is executed: control module 21 starts vUSER 26.
Then step D2 is executed: control module 21 instructs vUSER 26 to send an EAP over local area network start request message (EAPOL start request) to the AS of home fog 5a (802.1x).
Then step D3 is executed: control module 21 determines whether universal proxy server 2 has received an extensible authentication protocol request (identity) message (EAP-req/ID) returned by home fog 5a (802.1x).
If no EAP-req/ID is received, step D2 is executed again. If the EAP-req/ID is received, step D4 is executed: control module 21 controls universal proxy server 2 to send the EAP-req/ID to user equipment 6.
Then step D5 is executed: control module 21 determines whether universal proxy server 2 has received an extensible authentication protocol (identity) response (EAP-res/ID) returned by user equipment 6.
If no EAP-res/ID is received, step D4 is executed again. If the EAP-res/ID is received, step D6 is executed: control module 21 controls universal proxy server 2 to send the EAP-res/ID to the AS of home fog 5a (802.1x).
Then step D7 is executed: control module 21 determines whether universal proxy server 2 has received the EAP-req/MD5 returned by the AS of home fog 5a (802.1x).
If no EAP-req/MD5 is received, step D6 is executed again. If the EAP-req/MD5 is received, step D8 is executed: universal proxy server 2 sends the EAP-req/MD5 to user equipment 6.
Then step D9 is executed: control module 21 determines whether universal proxy server 2 has received the EAP-res/MD5 returned by user equipment 6.
If no EAP-res/MD5 is received, step D8 is executed again. If the EAP-res/MD5 is received, step D10 is executed: control module 21 controls universal proxy server 2 to send the EAP-res/MD5 to the AS.
Then step D11 is executed: control module 21 determines whether universal proxy server 2 has received the EAP-success returned by the AS.
If no EAP-success is received, step D12 is executed: control module 21 controls universal proxy server 2 to send an EAP authentication failure message to user equipment 6 and stops operating. If the EAP-success is received, the third home service end authentication subroutine D is complete, that is, the authentication required by home fog 5a (802.1x) is done, and the authentication required by the foreign service end can follow, for example the first foreign service end authentication subroutine B, EPS-AKA authentication or token authentication.
In this way, the details of the third home service end authentication subroutine D can be understood.
Next, the details of the second foreign service end authentication subroutine E are described. FIG. 12 is a flowchart of the steps of the second foreign service end authentication subroutine E according to an embodiment of the present invention; refer also to FIG. 1 to FIG. 11.
As shown in FIG. 12, first step E1(a) is executed: control module 21 starts vMME 24 and vHSS 27 and redirects (for example, reconnects) user equipment 6 to the MME of foreign edge 4b. Then step E1(b) is executed: control module 21 waits for a message sent by the MME.
Then step E2 is executed: control module 21 receives the authentication request message (containing the IMSI) sent by the MME, where the authentication request message may, for example, have been converted from the service request message issued by user equipment 6.
Then step E3 is executed: control module 21 instructs vMME 24 to send the authentication request message to the HSS of home edge 5a to confirm whether the IMSI is valid. When the IMSI is valid, home edge 5a can generate the authentication vector required for EPS-AKA authentication and return an authentication response message containing the authentication vector.
Then step E4 is executed: control module 21 determines whether universal proxy server 2 has received the authentication response message returned by home edge 5a.
If not, step E3 is executed again. If so, step E5 is executed: control module 21 instructs vHSS 27 to send the authentication response message to the MME of foreign edge 5b.
In one embodiment, when the MME of foreign edge 5b receives the authentication response message, it can generate an authentication challenge from the authentication vector and send it to user equipment 6. When user equipment 6 returns the correct challenge response, foreign edge 5b can provide service to user equipment 6.
In this way, the second foreign service end authentication subroutine E can be understood.
Next, the details of the fourth home service end authentication subroutine F are described. FIG. 13 is a flowchart of the steps of the fourth home service end authentication subroutine F according to an embodiment of the present invention; refer also to FIG. 1 to FIG. 12.
As shown in FIG. 13, first step F1 is executed: when user equipment 6 selects home cloud 3a or home fog 5a (OIDC) as its login option, control module 21 starts vUSER 26 and vHSS 27.
Then step F2 is executed: universal proxy server 2 redirects user equipment 6 to the MME of foreign edge 4b. User equipment 6 can then send a connection request message carrying the IMSI to the MME of foreign edge 4b, and the MME of foreign edge 4b can convert the connection request message into an authentication request message carrying the IMSI and send it to universal proxy server 2.
Then steps F3 and F4 are executed: universal proxy server 2 receives the authentication request message sent by the MME, and control module 21 converts the authentication request message into a general website login message (for example, a login mechanism using an account name and password) that home cloud 3a or home fog 5a (OIDC) can read.
Then step F5 is executed: control module 21 instructs vUSER 26 to send the general website login message to home cloud 3a or home fog 5a (OIDC). In one embodiment, home cloud 3a or home fog 5a (OIDC) verifies whether the account name and password are correct; if so, it returns an authentication claim containing an authentication vector, otherwise it stops.
Therefore step F6 is executed: control module 21 determines whether universal proxy server 2 has received the authentication claim.
If not, step F5 is executed again. If so, steps F7(a) to F7(c) are executed: control module 21 stops vUSER 26, converts the authentication claim into an authentication request response message containing the authentication vector, which serves as the response to the authentication request message issued by the MME of foreign edge 4b in step F3, and instructs vHSS 27 to send the authentication request response message to the MME of foreign edge 4b. Afterwards, when the MME of foreign edge 4b receives the authentication request response message, foreign edge 4b can itself perform the EPS-AKA authentication of user equipment 6 using the authentication vector and decide, according to the result, whether to provide service to user equipment 6.
In this way, the details of the fourth home service end authentication subroutine F can be understood.
Next, the details of the fifth home service end authentication subroutine G are described. FIG. 14 is a flowchart of the steps of the fifth home service end authentication subroutine G according to an embodiment of the present invention; refer also to FIG. 1 to FIG. 13.
As shown in FIG. 14, first step G1 is executed: when the foreign service end is foreign cloud 3b or foreign fog 5b (OIDC) and user equipment 6 selects home cloud 3a as its login option, control module 21 starts vRP 25.
Then step G2 is executed: control module 21 instructs vRP 25 to send the third-format authentication request message to home cloud 3a. Because home cloud 3a and foreign cloud 3b (or foreign fog 5b) both use OIDC, home cloud 3a can read the third-format authentication request message directly, and when the home service end determines that the user information in the third-format authentication request message is correct, it can return an authentication token.
Then step G3 is executed: control module 21 determines whether universal proxy server 2 has received the authentication token sent by home cloud 3a.
If not, step G2 is executed again. If so, step G4 is executed: control module 21 stops vRP 25 and controls universal proxy server 2 to send the authentication token to foreign cloud 3a or foreign fog 5a (OIDC). Afterwards, foreign cloud 3a or foreign fog 5a (OIDC) can decide, according to the authentication token, whether to provide service to user equipment 6.
In this way, the details of the fifth home service end authentication subroutine G can be understood.
Next, the details of the sixth home service end authentication subroutine H are described. FIG. 15 is a flowchart of the steps of the sixth home service end authentication subroutine H according to an embodiment of the present invention; refer also to FIG. 1 to FIG. 14.
As shown in FIG. 15, first step H1 is executed: when the foreign service end is foreign cloud 3b or foreign fog 5b (OIDC) and user equipment 6 selects home fog 5a (OIDC) as its login option, control module 21 starts vUSER 26 and vRP 25.
Then step H2 is executed: control module 21 instructs vRP 25 to send the third-format authentication request message to home fog 5a (OIDC). Because home fog 5a and foreign cloud 3b (or foreign fog 5b) both use OIDC, home fog 5a can read the third-format authentication request message directly, and when home fog 5a determines that the user information in the message is correct, the IdP of home fog 5a can return an authenticate user message.
Then step H3 is executed: control module 21 determines whether the authenticate user message has been received.
If not, step H2 is executed again. If so, step H4 is executed: control module 21 instructs vRP 25 and vUSER 26 to perform a user verification mechanism with user equipment 6 and the IdP of home fog 5a. For example, vRP 25 sends the third-format service request message (auth request passing client_id) to the IdP of home fog 5a and verifies the user with the assistance of vUSER 26, and the IdP then provides an authentication token (ID token) according to the verification result. Therefore, when the user verification mechanism is complete (for example, verification succeeded), the IdP of home fog 5a sends the authentication token to universal proxy server 2.
Then step H5 is executed: control module 21 determines whether universal proxy server 2 has received the authentication token.
If not, control module 21 notifies user equipment 2 that authentication failed. If so, step H6 is executed: control module 21 instructs vIdP 22 to send the authentication token to foreign cloud 3b or foreign fog 5b (OIDC). Afterwards, foreign cloud 3b or foreign fog 5b (OIDC) can decide, according to the authentication token, whether to provide service to user equipment 6.
In this way, the sixth home service end authentication subroutine H can be understood.
In addition, universal proxy server 2 can build a forwarding table from a logic flow in order to decide, for each kind of cross-domain authentication, which of operation modules 22 to 28 need to be started and which mappings need to be completed.
The logic flow and the forwarding table are described below.
In one embodiment, the logic flow begins with universal proxy server 2 connecting to the forwarding ends. Next, universal proxy server 2 must identify the home forwarding end and the foreign forwarding end. If the home forwarding end is fog forwarding end 9a, control module 21 must determine whether the protocol used by home fog 5a is OIDC; if not, it starts vUSER 36 to correspond to home fog 5a. If the home forwarding end is cloud forwarding end 7a, control module 21 decides, according to the identity of the foreign forwarding end, whether to start vUSER 26 or vRP 25 to correspond to home cloud 3a. If the home forwarding end is edge forwarding end 8a, control module 21 decides, according to the identity of the foreign forwarding end, whether to start vMME 24 or vUE 23 to correspond to home edge 4a.
Control module 21 must also determine the identity of the foreign forwarding end. If the foreign forwarding end is edge forwarding end 8b, control module 21 starts vHSS 27 to correspond to foreign edge 4b. If the foreign forwarding end is cloud forwarding end 7b, control module 21 starts vIdP 22 to correspond to foreign cloud 3b. If the foreign forwarding end is fog forwarding end 9b, control module 21 must determine whether foreign fog 5b uses OIDC; if so, it starts vIdP 22 to correspond to foreign fog 5b; if not, it starts vAS 28.
In addition, control module 21 must decide which mapping to perform in order to convert messages from one communication protocol to another. For example, in the edge-to-cloud case, universal proxy server 2 can perform the mapping between 3GPP EPS-AKA and OIDC by converting a "Login with IMSI" message into an "Auth Request (IMSI)" message, and thereby communicate with the edge end.
FIG. 16 is a schematic diagram of the forwarding table of universal proxy server 2 according to an embodiment of the present invention. With the forwarding table, control module 21 can quickly determine which of operation modules 22 to 28 must be started and which mappings must be performed for each kind of cross-domain authentication.
In addition, in one embodiment, the functions of universal proxy server 2 can be extended to accommodate newly added communication protocols. When a new communication protocol is added, the logic flow and forwarding table of universal proxy server 2 can be adjusted accordingly. Thus the details of the logic flow and the forwarding table are known.
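The following is an added example, not code from the patent, that encodes the logic flow above as a forwarding-table builder: given the home and foreign service end types, it returns the operation modules to start, the applicable subroutine letters (from the applicability lists for A through H) and the protocol mapping to perform. It goes slightly beyond the text by enumerating all sixteen home/foreign pairs; the class and function names (Domain, forwarding_entry, ...) and the mapping string format are assumptions.

```python
from dataclasses import dataclass

# Operation modules 22~28 of universal proxy server 2.
VIDP, VUE, VMME, VRP, VUSER, VHSS, VAS = (
    "vIdP 22", "vUE 23", "vMME 24", "vRP 25", "vUSER 26", "vHSS 27", "vAS 28")


@dataclass(frozen=True)
class Domain:
    """A service end, as identified through its forwarding end."""
    kind: str           # "cloud", "edge" or "fog"
    oidc: bool = False  # protocol flag; only meaningful for a fog end

    @property
    def protocol(self) -> str:
        if self.kind == "edge":
            return "EPS-AKA"
        if self.kind == "cloud" or self.oidc:
            return "OIDC"
        return "802.1x"

    def label(self) -> str:
        return self.kind if self.kind != "fog" else f"fog({self.protocol})"


def home_subroutine(home: Domain, foreign: Domain):
    """Letter of the home service end subroutine (A, C, D, F, G, H); None for edge-to-edge,
    where subroutine E covers the home HSS query as well."""
    if home.kind == "edge":
        return None if foreign.kind == "edge" else "A"
    if home.protocol == "802.1x":
        return "D"
    # home is cloud or fog(OIDC): choice depends on the foreign protocol
    if foreign.protocol == "802.1x":
        return "C"
    if foreign.protocol == "EPS-AKA":
        return "F"
    return "G" if home.kind == "cloud" else "H"


def foreign_step(home: Domain, foreign: Domain) -> str:
    """What the proxy does for the foreign side once the home side is authenticated."""
    if foreign.protocol == "802.1x":
        return "B"
    if foreign.protocol == "EPS-AKA":
        return "E" if home.kind == "edge" else "EPS-AKA via vHSS"
    return "token via vIdP"


def modules_to_start(home: Domain, foreign: Domain) -> set:
    """Operation modules control module 21 starts (both halves of the logic flow)."""
    per_subroutine = {"A": {VUE}, "C": {VUSER}, "D": {VUSER}, "F": {VUSER},
                      "G": {VRP}, "H": {VUSER, VRP}, None: {VMME}}
    started = set(per_subroutine[home_subroutine(home, foreign)])
    if foreign.kind == "edge":
        started.add(VHSS)
    elif foreign.protocol == "OIDC":
        started.add(VIDP)
    else:
        started.add(VAS)
    return started


def forwarding_entry(home: Domain, foreign: Domain) -> dict:
    """One row of the forwarding table for a home/foreign pair."""
    return {
        "service": f"{home.label()}-to-{foreign.label()}",
        "start": sorted(modules_to_start(home, foreign)),
        "home": home_subroutine(home, foreign),
        "foreign": foreign_step(home, foreign),
        "mapping": (None if home.protocol == foreign.protocol
                    else f"{home.protocol} <-> {foreign.protocol}"),
    }


def build_forwarding_table() -> dict:
    """Every home/foreign combination of the four domain types, keyed by service name."""
    kinds = [Domain("cloud"), Domain("edge"),
             Domain("fog", oidc=True), Domain("fog", oidc=False)]
    table = {}
    for h in kinds:
        for f in kinds:
            row = forwarding_entry(h, f)
            table[row["service"]] = row
    return table


if __name__ == "__main__":
    for name, row in build_forwarding_table().items():
        print(name, row["start"], row["home"], row["foreign"], row["mapping"])
```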
In addition, to help readers understand the subroutines above (FIG. 8 to FIG. 15), the applicant also provides transmission diagrams of the six commonly used cross-domain authentications for reference, shown in FIG. 17 to FIG. 22 respectively. FIG. 17 is a transmission diagram of the edge-to-cloud authentication process according to an embodiment of the present invention; FIG. 18 is a transmission diagram of the edge-to-fog(OIDC) authentication process according to an embodiment of the present invention; FIG. 19 is a transmission diagram of the edge-to-fog(802.1x) authentication process according to an embodiment of the present invention; FIG. 20 is a transmission diagram of the cloud-to-edge authentication process according to an embodiment of the present invention; FIG. 21 is a transmission diagram of the cloud-to-fog(OIDC) authentication process according to an embodiment of the present invention; and FIG. 22 is a transmission diagram of the cloud-to-fog(802.1x) authentication process according to an embodiment of the present invention.
With these transmission diagrams, those skilled in the art can better understand the step flows of FIG. 3 to FIG. 15.
Next, the entry insertion and lookup establishment procedure is described. The entry insertion and lookup establishment procedure is used to build a lookup table and to use that lookup table during the authentication process.
FIG. 23 is a flowchart of the steps of the entry insertion and lookup establishment procedure according to an embodiment of the present invention; refer also to FIG. 1 to FIG. 22. This flow applies to all kinds of cross-domain services.
First, step S401 is executed: when universal proxy server 2 receives a service request message from the foreign forwarding end, control module 21 finds the corresponding foreign service end in pre-stored data according to the format of the service request message and the type of the foreign forwarding end. In one embodiment, step S401 may be executed after the initial stage procedure of FIG. 3, so control module 21 can find the corresponding foreign service end through the foreign forwarding end information stored in step S13(a), step S14(a), S15(b) or S15(d).
Then step S402 is executed: control module 21 assigns an identity to the foreign service end (hereinafter foreign ID) and records the foreign ID in a foreign service data field of a lookup table.
Then step S403 is executed: control module 21 generates a foreign connection entry from the information required for the foreign service end's authentication, assigns an identity to that foreign connection entry (hereinafter foreign connection ID), and records the foreign connection ID in a foreign connection data field of the lookup table. In one embodiment, the foreign connection entry includes information on the operation modules required for the foreign service end's authentication, the connection relationships between those operation modules and the forwarding end, the connection relationships among the operation modules, and so on, but is not limited to these.
Then step S404 is executed: control module 21 assigns an identity to user equipment 6 (hereinafter User ID) and records the User ID in a user data field of the lookup table.
Afterwards, control module 21 waits for user equipment 6 to return its login option (refer to step S241). When user equipment 6 returns the login option, that is, selects the home service end, step S405 is executed: control module 21 assigns an identity to the home service end (hereinafter home ID) and records the home ID in a home service data field of the lookup table.
Then step S406 is executed: control module 21 generates a home connection entry from the information required for the home service end's authentication, assigns an identity to that home connection entry (hereinafter home connection ID), and records the home connection ID in a home connection data field of the lookup table. In one embodiment, the home connection entry includes information on the operation modules required for the home service end's authentication, the connection relationships between those operation modules and the forwarding end, the connection relationships among the operation modules, information provided by user equipment 6 (for example, the IMSI), and so on, but is not limited to these.
Then step S407 is executed: control module 21 records the message conversion mapping between the home service end and the foreign service end in a message mapping data field of the lookup table. With this, the lookup table required for this cross-domain service is built.
Next, control module 21 can, according to the home service data field, the home connection data field or the message mapping data field of the lookup table, control the appropriate operation modules to take part in the authentication required by the home service end, and wait for that authentication to complete. When the authentication required by the home service end is complete, step S408 is executed: control module 21 executes a lookup subroutine, which can be used for the authentication required by the foreign service end. With this, the entry insertion and lookup establishment procedure is complete.
Next, the details of the lookup subroutine are described. FIG. 24 is a flowchart of the steps of the lookup subroutine according to an embodiment of the present invention; refer also to FIG. 1 to FIG. 23.
First, step S408(a) is executed: control module 21 obtains the foreign connection ID related to this cross-domain service. In one embodiment, control module 21 can find the corresponding lookup table from the home service end and then find the foreign connection ID in that lookup table.
Then step S408(b) is executed: control module 21 finds the foreign connection entry from the foreign connection ID and obtains the data required for the foreign service end's authentication.
Then step S408(c) is executed: control module 21 finds the related foreign ID from the lookup table.
Then step S408(d) is executed: control module 21 finds the related User ID from the lookup table.
Then step S408(e) is executed: control module 21 finds the related message conversion mapping from the lookup table.
Next, control module 21 can, according to the foreign connection entry, the User ID and the foreign ID, control the appropriate operation modules to perform the authentication required by the foreign service end, and, according to the data in the message mapping data field, convert the messages of the authentication process into the format of the communication protocol supported by the foreign service end.
Then step S408(f) is executed: when the message conversion is complete, control module 21 clears the message conversion mapping from the message mapping data field.
Then control module 21 waits for the authentication required by the foreign service end to complete. When that authentication is complete, step S408(g) is executed: control module 21 destroys the home connection entry and the foreign connection entry.
With this, the lookup subroutine is complete.
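The following is an added example, not code from the patent, of the lookup table built by steps S401 to S407 and consumed by the lookup subroutine S408(a) to S408(g): each record carries the five identities and the message mapping, the lookup is keyed by the home ID, the mapping is cleared after conversion and both connection entries are destroyed at the end. The class and field names, the identity format, the guard that refuses a lookup before the home-side authentication has completed, and the constructed sample entries (including the IMSI value) are assumptions.

```python
import itertools
from dataclasses import dataclass, field
from typing import Optional

_counter = itertools.count(1)


def new_id(prefix: str) -> str:
    """Identity strings handed out by control module 21 (format is an assumption)."""
    return f"{prefix}-{next(_counter)}"


@dataclass
class ConnectionEntry:
    """A home or foreign connection entry (steps S403 / S406)."""
    modules: list                                # operation modules needed for this side
    links: list                                  # (module, forwarding end) or (module, module)
    extra: dict = field(default_factory=dict)    # e.g. {"IMSI": ...} on the home entry


@dataclass
class LookupRecord:
    """One lookup table record; fields are filled in the order S402~S407."""
    foreign_id: Optional[str] = None             # foreign service data field
    foreign_connection_id: Optional[str] = None  # foreign connection data field
    user_id: Optional[str] = None                # user data field
    home_id: Optional[str] = None                # home service data field
    home_connection_id: Optional[str] = None     # home connection data field
    mapping: Optional[str] = None                # message mapping data field
    home_auth_done: bool = False                 # gate for step S408


class ControlModule:
    """Bookkeeping of control module 21 for one universal proxy server."""

    def __init__(self):
        self.entries = {}          # connection ID -> ConnectionEntry
        self.records_by_home = {}  # home ID -> LookupRecord (S408(a) looks up via the home end)

    def build_record(self, foreign_entry: ConnectionEntry,
                     home_entry: ConnectionEntry, mapping: Optional[str]) -> LookupRecord:
        """Steps S402~S407 for one cross-domain service."""
        rec = LookupRecord()
        rec.foreign_id = new_id("foreign")                      # S402
        rec.foreign_connection_id = new_id("foreign-conn")      # S403
        self.entries[rec.foreign_connection_id] = foreign_entry
        rec.user_id = new_id("user")                            # S404
        # (control module waits here for the login option, step S241)
        rec.home_id = new_id("home")                            # S405
        rec.home_connection_id = new_id("home-conn")            # S406
        self.entries[rec.home_connection_id] = home_entry
        rec.mapping = mapping                                   # S407
        self.records_by_home[rec.home_id] = rec
        return rec

    def home_auth_complete(self, home_id: str) -> None:
        """Home service end authentication finished; S408 may now run."""
        self.records_by_home[home_id].home_auth_done = True

    def lookup_subroutine(self, home_id: str) -> dict:
        """Steps S408(a)~(e): gather what the foreign-side authentication needs."""
        rec = self.records_by_home[home_id]
        if not rec.home_auth_done:
            raise RuntimeError("home service end authentication not yet complete")
        return {
            "foreign_connection": self.entries[rec.foreign_connection_id],  # (a), (b)
            "foreign_id": rec.foreign_id,                                   # (c)
            "user_id": rec.user_id,                                         # (d)
            "mapping": rec.mapping,                                         # (e)
        }

    def conversion_done(self, home_id: str) -> None:
        """Step S408(f): clear the mapping once the messages have been converted."""
        self.records_by_home[home_id].mapping = None

    def foreign_auth_done(self, home_id: str) -> None:
        """Step S408(g): destroy the home and foreign connection entries."""
        rec = self.records_by_home[home_id]
        for cid in (rec.home_connection_id, rec.foreign_connection_id):
            self.entries.pop(cid, None)


if __name__ == "__main__":
    cm = ControlModule()
    # Constructed sample: edge-to-fog(802.1x); the IMSI is a made-up test-network value.
    foreign = ConnectionEntry(["vAS 28"], [("vAS 28", "fog forwarding end 9b")])
    home = ConnectionEntry(["vUE 23"], [("vUE 23", "edge forwarding end 8a")],
                           {"IMSI": "001010123456789"})
    rec = cm.build_record(foreign, home, "EPS-AKA <-> 802.1x")
    cm.home_auth_complete(rec.home_id)
    print(cm.lookup_subroutine(rec.home_id))
```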
In addition, communication system 1 of the present invention can keep establishing federation relationships with other communication systems, so that the cross-domain services available to a single account keep increasing.
Thus, through the communication system and communication method of the present invention, a user needs only a single account, which can be used across cloud, edge and fog; compared with the prior art, the communication system of the present invention is highly convenient. In addition, the communication method of the present invention can have a complete authentication mechanism and is highly secure.
The above embodiments are merely examples given for convenience of description; the scope of rights claimed in the present invention should be determined by the claims, and is not limited to the above embodiments.
1: communication system
2: universal proxy server
21: control module
3a: home cloud
4a: home edge
5a: home fog
3b: foreign cloud
4b: foreign edge
5b: foreign fog
6: user equipment
7a, 7b: cloud forwarding end (CR)
8a, 8b: edge forwarding end (ER)
9a, 9b: fog forwarding end (FR)
22: virtual identity provider (vIdP)
23: virtual user equipment (vUE)
24: virtual mobility management entity (vMME)
25: virtual relay component (vRP)
26: virtual user (vUSER)
27: virtual home subscriber server (vHSS)
28: virtual authentication server (vAS)
S11~S15(d), S21~S30, S241~S249, S261~S266, S301~S308, A1~A8, B1~B5, C1~C4, D1~D12, E1(a)~E5, F1~F7, G1~G4, H1~H6, S401~S408, S408(a)~S408(g): steps
FIG. 1 is a system architecture diagram of a communication system according to an embodiment of the present invention.
FIG. 2(A) is a summary diagram of the operation modules corresponding to the home service end and the foreign service end according to an embodiment of the present invention.
FIG. 2(B) is a flowchart of the steps of a communication method according to an embodiment of the present invention.
FIG. 3 is a flowchart of the steps of the initial stage procedure of the communication method according to an embodiment of the present invention.
FIG. 4 is a flowchart of the main steps of the operation stage procedure of the communication method according to an embodiment of the present invention.
FIG. 5 is a flowchart of the steps of the first user authentication procedure according to an embodiment of the present invention.
FIG. 6 is a flowchart of the steps of the second user authentication procedure according to an embodiment of the present invention.
FIG. 7 is a flowchart of the steps of the third user authentication procedure according to an embodiment of the present invention.
FIG. 8 is a flowchart of the steps of the first home service end authentication subroutine according to an embodiment of the present invention.
FIG. 9 is a flowchart of the steps of the first foreign service end authentication subroutine according to an embodiment of the present invention.
FIG. 10 is a flowchart of the steps of the second home service end authentication subroutine according to an embodiment of the present invention.
FIG. 11 is a flowchart of the steps of the third home service end authentication subroutine according to an embodiment of the present invention.
FIG. 12 is a flowchart of the steps of the second foreign service end authentication subroutine according to an embodiment of the present invention.
FIG. 13 is a flowchart of the steps of the fourth home service end authentication subroutine according to an embodiment of the present invention.
FIG. 14 is a flowchart of the steps of the fifth home service end authentication subroutine according to an embodiment of the present invention.
FIG. 15 is a flowchart of the steps of the sixth home service end authentication subroutine according to an embodiment of the present invention.
FIG. 16 is a schematic diagram of the forwarding table of the universal proxy server according to an embodiment of the present invention.
FIG. 17 is a transmission diagram of the edge-to-cloud authentication process according to an embodiment of the present invention.
FIG. 18 is a transmission diagram of the edge-to-fog(OIDC) authentication process according to an embodiment of the present invention.
FIG. 19 is a transmission diagram of the edge-to-fog(802.1x) authentication process according to an embodiment of the present invention.
FIG. 20 is a transmission diagram of the cloud-to-edge authentication process according to an embodiment of the present invention.
FIG. 21 is a transmission diagram of the cloud-to-fog(OIDC) authentication process according to an embodiment of the present invention.
FIG. 22 is a transmission diagram of the cloud-to-fog(802.1x) authentication process according to an embodiment of the present invention.
FIG. 23 is a flowchart of the steps of the entry insertion and lookup establishment procedure according to an embodiment of the present invention.
FIG. 24 is a flowchart of the steps of the lookup subroutine according to an embodiment of the present invention.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW110103666A TWI745227B (en) | 2021-02-01 | 2021-02-01 | Communication system and communication method for performing third party authentication between home service and foreign service |
US17/356,588 US11502987B2 (en) | 2021-02-01 | 2021-06-24 | Communication system and method for performing third-party authentication between home service end and foreign service end |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW110103666A TWI745227B (en) | 2021-02-01 | 2021-02-01 | Communication system and communication method for performing third party authentication between home service and foreign service |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI745227B true TWI745227B (en) | 2021-11-01 |
TW202232917A TW202232917A (en) | 2022-08-16 |
Family
ID=79907388
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW110103666A TWI745227B (en) | 2021-02-01 | 2021-02-01 | Communication system and communication method for performing third party authentication between home service and foreign service |
Country Status (2)
Country | Link |
---|---|
US (1) | US11502987B2 (en) |
TW (1) | TWI745227B (en) |
Legal events
- 2021-02-01: TW application TW110103666A, patent TWI745227B, active
- 2021-06-24: US application US17/356,588, patent US11502987B2, active
Also Published As
Publication number | Publication date |
---|---|
US20220247712A1 (en) | 2022-08-04 |
TW202232917A (en) | 2022-08-16 |
US11502987B2 (en) | 2022-11-15 |